SOLVED

Host Header Injection


Community Advisor

We have a security scan risk where the request from the browser in Burp is intercepted, modified to have a malicious host, and sent to the server. We have observed that the server redirects to a malicious site.

Below are my queries:

  1. Is there any way to validate the Host header?
  2. Will there be any consequences if we remove the host from the client headers (if point 1 is not possible)?
  3. Can we add a redirect rule to make sure the modified header is redirected to our own site?

I got the reference to points 2 and 3 from here: https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/additional-headers-on-disp...

 

Any help on this would be appreciated.

 

Environment: AEM as cloud service, 2023.3.11382.20230315T073850Z version

 

@arunpatidar @kautuk_sahni 

 

Thanks,

Kiran Vedantam.

 


3 Replies


Community Advisor

Hi @Kiran_Vedantam 
You can do the following:

1. Remove the host header from the response; I don't see any harm.

2. Whitelist the Publisher/dispatcher IP at the CDN.

3. Check the host header in the request headers.

https://stackoverflow.com/questions/69350714/how-to-make-my-apache-website-accept-only-host-header-w... 



Arun Patidar


Community Advisor

Thanks for the response @arunpatidar 

 

Can you please help me with the working piece of code for points 1 and 3 that you have mentioned?

 

Thanks,
Kiran Vedantam.


Correct answer by
Community Advisor
# Point 1: strip a Host header from the response
Header always unset Host

# Point 3: serve the request only when the Host header names our own site;
# anything else is sent to our own 404 page instead of wherever the
# injected Host points (an absolute URL here is an external redirect).
RewriteEngine On

<If "%{HTTP_HOST} == 'mywebsite'">
</If>
<Else>
  RewriteRule ^.*$ http://mywebsite/404 [R,L]
</Else>


Arun Patidar
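The check the accepted answer performs in httpd, written out as an added Python example so each edge case of the Host value (port suffix, case, IPv6 literal, missing or junk header, look-alike domains) is visible; this is not code from the thread, AEM or Apache, and the hostnames and canonical origin are constructed placeholders.

```python
# Added example, not from the thread or from AEM/Apache. The allowlist and
# origin are constructed placeholders; replace with your real hostnames.
ALLOWED_HOSTS = {"mywebsite.example", "www.mywebsite.example"}
CANONICAL_ORIGIN = "https://www.mywebsite.example"


def normalize_host(header_value):
    """Lowercase hostname from a Host header value, or None when the header
    is absent or malformed. Strips an optional :port and unwraps [IPv6]."""
    if not header_value:
        return None
    value = header_value.strip()
    if value.startswith("["):                 # IPv6 literal such as [::1]:8080
        end = value.find("]")
        return value[1:end].lower() if end > 1 else None
    host, sep, port = value.partition(":")
    if sep and not port.isdigit():            # "evil.example:abc", "a:b:c"
        return None
    if not host or any(c in host for c in " /\\@?#"):
        return None                           # not a hostname at all
    return host.lower()


def host_is_trusted(headers):
    """True only when Host names one of our own sites. Exact match against an
    allowlist rejects look-alikes such as mywebsite.example.attacker.example."""
    return normalize_host(headers.get("Host")) in ALLOWED_HOSTS


def redirect_location(path):
    """Location for any redirect we issue. The vulnerable pattern builds it
    from the request's Host; here the origin is a fixed configured value, so a
    spoofed Host can never steer the client to another site."""
    if not path.startswith("/") or path.startswith("//"):
        path = "/"                            # "//evil" would become an authority
    return CANONICAL_ORIGIN + path


def handle_request(headers, path):
    """Equivalent of the accepted answer's rule: an unknown Host is sent to our
    own 404 page; a trusted one is served normally."""
    if not host_is_trusted(headers):
        return 302, redirect_location("/404")
    return 200, None


if __name__ == "__main__":
    # Constructed request as the server sees it after the Host was edited.
    tampered = {"Host": "attacker.example"}
    print(handle_request(tampered, "/content/site/en.html"))  # (302, 'https://www.mywebsite.example/404')
    print(handle_request({"Host": "MyWebsite.example:443"}, "/content/site/en.html"))  # (200, None)
```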